Japan Vulnerability NotesJVN:15808274JVN#15808274: e-Gov Client Application fails to restrict custom URL schemes properly
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS
Percentile
20.2%
e-Gov Client Application is installed, a Custom URL Scheme is configured on the system to enable invoking the product through a web browser.
This custom URL contains the information about the website which the product should access, and a crafted URL may direct the application to access an unexpected website (CWE-939).
Impact
A crafted URL may direct the product to access an arbitrary website. As a result, the user may become a victim of a phishing attack.
Solution
Update the Product
Update the product to the latest version according to the information provided by the developer.
The developer released the following versions to fix the issue.
- e-Gov Client Application (Windows version) 2.1.1.0
- e-Gov Client Application (macOS version) 1.1.1.0
Products Affected
- e-Gov Client Application (Windows version) versions prior to 2.1.1.0
- e-Gov Client Application (macOS version) versions prior to 1.1.1.0
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS
Percentile
20.2%